deadwood-sec 0.1.0

A self-hosted web-security range, leveled tutorial-to-impossible — the practice town for wraith and hickok.

deadwood

A self-hosted web-security range that doubles as a tutorial — graded levels from the first trivial injection to the deliberately near-impossible. It's the practice town for the dead man's hand: scout each room with wraith, take it with hickok, capture the flag, then read the vulnerable source and the fix.

Dependency-free (stdlib + SQLite). Runs on 127.0.0.1 only.

⚠️ deadwood is intentionally vulnerable, by design. It refuses to bind anything but loopback unless you force it. Never expose it to a network, a VM bridge, or the internet. Attack only this app, on your own machine.

• Install
• Run it
• How a level works
• The levels
• Pairing with wraith & hickok

Install

pipx install deadwood-sec      # gives you the `deadwood` command

Or from a clone: pip install -e . — or run it with no install: PYTHONPATH=src python3 -m deadwood.

Run it

deadwood serve                 # http://127.0.0.1:8666  (the town map)
deadwood levels                # list the rooms and your progress
deadwood learn first-blood     # a level's briefing: objective, hints, source, the fix
deadwood flag first-blood 'DEADWOOD{...}'   # submit a captured flag

Open the map in a browser, pick a room, and point your tools at the app URL it gives you (e.g. http://127.0.0.1:8666/l/first-blood/app?id=1).

How a level works

Every room is the same shape, easy to the hard:

• a realistic app (the fictional Deadwood Telegraph & Trust Co. — employees, customers, accounts, telegrams) with one real flaw;
• a flag to capture (DEADWOOD{...}, unique to your install);
• progressive hints — reveal them one at a time, only if you want them;
• the vulnerable source and how to fix it, once you ask (spoilers).

Play blind for the CTF, or lean on the hints and learn for the tutorial. Your captures are tracked locally.

The levels

Tutorial → impossible. Each maps to a technique you can practise by hand or drive with hickok/wraith:

#	Room	Tier	Vector
1	First Blood	Tutorial	SQL injection — UNION (in-band)
2	Whispers	Easy	SQL injection — boolean-blind
3	The Telegraph	Medium	SQL injection — time-based blind
4	Back Door	Medium	OS command injection → shell

(more rooms land as the range grows — auth bypass, filtered/WAF'd injection, SSTI, and the Vault.)

Pairing with wraith & hickok

deadwood is the range the tools grew up on. A typical run:

deadwood serve &                                   # the town
hickok sql -u 'http://127.0.0.1:8666/l/first-blood/app?id=1' -p id --dump secrets

When a tool can't take a room, that's a bug to fix in the tool; when a room is too easy, that's a room to harden. They sharpen each other.

License

MIT.

---

Deadwood, 1876 — where the dead man's hand was dealt.